can CAS handle 3-strike scenario?
Kim Cary
Kim.Cary at pepperdine.edu
Fri Jan 23 19:53:58 EST 2009
Per se, I'm not sure 'sense' implies that CAS should do the password
changing, given the myriad of authentication stores behind CAS.
If someone wanted to write and contribute an authentication handler
with this feature for some common backends, e.g. AD & OpenLDAP, that
would, I'm sure, be appreciated by a lot of people... some
configurations might still not be able to use it, though.
In general, I can't conceive of how the project could build this in as
a configurable feature... any API would not match up with all possible
back ends, returning us to the need for custom code.
As it is, it seems possible for someone with Java experience to adapt
a custom authentication handler that performs some checks with the
supplied credentials (for expiration, for example, or as we would
like, a check of whether the person has set their 'pw reset'
questions), and then send the user to the correct page (pw change,
reset question entry). I'm not such a person, but I'm not going to try
to get Scott to write our module for me.
On Jan 23, 2009, at 3:44 PM, Michael Ströder wrote:
> hua lu wrote:
>> it would make more sense to allow the user to change password (with some
>> kind of rule, such as password Complexity) in CAS.